Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)

Jack Bates jbates at brightok.net
Mon Jun 18 16:32:59 UTC 2007

Suresh Ramasubramanian wrote:
> MAAWG's port 25 management document is kind of based on consensus. Joe
> is a senior tech advisor at MAAWG. contributed substantially to that
> document .. and those two presentations were made at a maawg (san
> diego in 2005 if I remember right) so ..

Joe also pointed out the biggest problem with blocking port 25; it pushes the 
abuse towards the smarthosts. This creates a lot of issues. Smarthosts have to 
be regulated more closely. Support must be increased to deal with customers that 
have legitimate large scale outbound needs and will need smarthost restrictions 
lifted. A certain amount of spam leakage must be expected out of the smarthost, 
but most recipients won't know or take the time to tell the difference. This 
leads to more blocking of the smarthosts, which causes more issues for a larger 
number of customers.

I'd rather monitor and filter traffic patterns on port 25 (and the various other 
ports that are also often spewing other things) than block it. It's not unusual 
to see tcp/25 spewing at the same time as udp/135 and tcp/445 or even tcp/1025. 
A detection of both network scans and correlating inbound connections to 
outbound tcp/25 leads to a lot of good proactive automation. Spam abuse may be 
the most publicly annoying use of trojans/bots, but it's probably the least 
destructive use (debatable).


More information about the NANOG mailing list